



Record DDoS Pummels Site With Once-Unimaginable 7.3Tbps of Junk Traffic (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare. The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.
Cloudflare said the attackers "carpet bombed" an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack. [...] Cloudflare said the record DDoS exploited various reflection or amplification vectors, including the previously mentioned Network Time Protocol; the Quote of the Day Protocol, which listens on UDP port 17 and responds with a short quote or message; the Echo Protocol, which responds with the same data it receives; and Portmapper services used to identify resources available to applications connecting through the Remote Procedure Call. Cloudflare said the attack was also delivered through one or more Mirai-based botnets. Such botnets are typically made up of home and small office routers, web cameras, and other Internet of Things devices that have been compromised.
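Added example (not from the Ars Technica report or from Cloudflare): a defender-side classifier that attributes inbound UDP bytes to the reflection vectors named above by source port and measures how many destination ports on one IP are being hit. The flow-record format, the threshold and the sample lines are assumptions made for illustration; only port 17 is stated in the summary, and 7, 111 and 123 are the standard assignments for Echo, Portmapper and NTP.

```python
from collections import defaultdict

# Well-known UDP ports of the services the summary names. Only port 17 is
# stated on the page; 7, 111 and 123 are the standard IANA assignments.
REFLECTOR_PORTS = {7: "echo", 17: "qotd", 111: "portmapper", 123: "ntp"}

def parse_flow(line):
    """Parse one constructed flow record: 'ts proto src:sport dst:dport bytes'."""
    ts, proto, src, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, proto.lower(), sip, int(sport), dip, int(dport), int(nbytes)

def summarize(lines, port_spread_threshold=4):
    """Per destination IP: bytes per reflection vector and distinct dst ports hit."""
    stats = defaultdict(lambda: {"vectors": defaultdict(int), "ports": set(), "other": 0})
    for line in lines:
        _, proto, _, sport, dip, dport, nbytes = parse_flow(line)
        entry = stats[dip]
        # Reflected replies arrive *from* the abused service's port.
        if proto == "udp" and sport in REFLECTOR_PORTS:
            entry["vectors"][REFLECTOR_PORTS[sport]] += nbytes
            entry["ports"].add(dport)
        else:
            entry["other"] += nbytes
    report = {}
    for dip, e in stats.items():
        report[dip] = {
            "vectors": dict(e["vectors"]),
            "reflected_bytes": sum(e["vectors"].values()),
            "other_bytes": e["other"],
            "dst_ports": len(e["ports"]),
            # Many distinct destination ports on one IP suggests carpet bombing.
            "carpet_bombing": len(e["ports"]) >= port_spread_threshold,
        }
    return report

# Constructed sample flows (documentation address ranges), not real attack data.
SAMPLE = """\
00:00:01 udp 198.51.100.10:123 203.0.113.5:4001 468
00:00:01 udp 198.51.100.11:17 203.0.113.5:4002 512
00:00:02 udp 198.51.100.12:7 203.0.113.5:4003 1024
00:00:02 udp 198.51.100.13:111 203.0.113.5:4004 300
00:00:03 udp 198.51.100.10:123 203.0.113.5:4005 468
00:00:03 tcp 192.0.2.7:51514 203.0.113.5:443 1500
00:00:04 udp 192.0.2.8:53000 203.0.113.9:53 80
""".splitlines()
```

Calling `summarize(SAMPLE)` returns one entry per destination IP; a real deployment would feed it parsed NetFlow or firewall records and tune `port_spread_threshold` to the normal port spread of the protected host.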
Site pummeled with junk traffic (Score:4, Funny)
Also known as the Slashdot effect [wikipedia.org]. :-)
(In future ironic? news, Wikipedia slows to a crawl as young Slashdotters look up Slashdot effect.)
Re: (Score:2)
I remember a story on SlashDot where about half an hour after posting if you followed the link you just encountered a static page that said, "You assholes just killed our company's T-3 line."
9300 HD movies (Score:4, Insightful)
Re: (Score:1)
50k State Farm commercials
Re: (Score:2)
We don't know that, but we do know that it will inevitably lead to monetary losses amounting to quadrillions for the Music and Film Industry of America (MaFIA).
I'm not implying anything (Score:4, Interesting)
So just what customer has a 7TB+ uplink to their systems?
This reads a lot like a Cloudflare promo stunt.
Re: (Score:2)
Yes and no. The customer probably doesn't have a 7 Tbps+ uplink, but Cloudflare evidently does, and they intercepted the traffic before it got to the customer's uplink, preventing the customer's uplink from saturating and allowing it to continue with its normal traffic.
You're right that it's a Cloudflare promo, but in their absence it's very likely that the customer's link would have been unusable, so it's a justified promo.
I'd Be Crowing Too (Score:2)
This is definitely promotional for Cloudflare.
And if I had the equivalent of 20 400Gbps links I'd be crowing too.
Re: (Score:2)
Cloudflare probably is monitoring the primary Internet connections that feed Iran, the Israelis are known for this (and other) sort of lawlessness.
Re: (Score:2)
With opinions that ignorant I'd post AC too . . .
Freedom Units (Score:3)
How many floppy disks per football field is it?
There is nothing "well engineered" in that attack (Score:3)
The really pathetic thing is how utterly easy such attacks are. IT security of almost all computer systems sucks, with MicroShit a primary reason, but also cheap and cluelessly made Linux devices like IT cameras and the like (yes, if you configure default or no credentials, even Linux is insecure).
We urgently need liability. When something like this happens, Microsoft needs to go over the books and ask themselves "How many more can we survive with the billions this will cost us in damages and fines?" And those makers of small crappy IP devices need to simply die and the assets of their owners seized.
Re: (Score:3)
It's not just the "small crappy IP devices", I worked in physical security for 16 years and you would not believe how bad security is on many if not most security devices. The most expensive security camera I ever configured had a single user, 'root', and a password of '1234', and you could not change either one. Axis and Pelco were the only major manufacturers of cameras that seemed to understand that security devices need to actually be secure.
Free promotion or real journalism? (Score:4, Insightful)
Re: (Score:2)
Look around, the customer is almost certainly Iran and the attacker is almost certainly Israel.
22,000 destination ports of a single IP address? (Score:2)
Most of my sites have a Honey Trap - if you access it you get the output of a random number generator formatted as an x86 core dump. Any human would close the connection immediately. Robots would quite likely think they have a database of trove and fill their H/Ds with garbage.
However, having read yesterday's news, I intend to make my next one format the data as a database of logins.
You are encouraged to steal that idea and do it for me!
Re: (Score:2)
And this will alleviate a DDOS attack... how?
Re: (Score:2)
So...yeah spoofed request IP...
Your garbage data was probably 5% of the attack.
A total of 34,500 ports .. (Score:2)
I thought IPVx only allowed for 65,536 ports.
Re: (Score:2)
Yes, and of these theoretically possible 65,536 ports only 34,500 ports were attacked, which means this was not just random data, but carefully crafted and targeted data thrown at the victim.
"an almost incomprehensible amount of data" (Score:3)
Wow! That's almost the price of a cell phone worth of used hard drives that could fit in a purse. Boggles the mind.
(I spent way too much time checking those numbers. You can get decent 10TB used SAS drives for about $80 with 1-year warranty)
Re: "an almost incomprehensible amount of data" (Score:2)
Time is an illusion.
Hey Report Writers!! (Score:4, Insightful)
Report Writers, Slashdot editors, and all you other nice people,
With stories like these, that specifically include broad ranging attacks with IOT and compromised devices in a bot net, please clearly mark the dates and times. I see a single Cloudflare visual that shows 7.5Tb/s starting at 21:55:36 and going until 21:56:20. One could assume it is GMT, but it isn't listed for sure. One could also guess at the day, but it isn't clearly listed with the data.
If I knew which day to look at, and for sure what time frame, I could take a peek and make sure that I don't have some otherwise unidentified problem on my end. I'm moderately positive I am not involved, but if I am serving to give bad actors an extra IP to work from, I'd like to know.
These are shitty marketing fluff pieces. Oh look at how cool we are we detected it, we kept our client up, etc.
Alternatively these end up being philosophical shit pieces about ooooh look what could happen, look how far we've come.
No. I want a simple day and time. I want to know if the equipment in my enclave is involved. Start your goddamn reporting with that. Old newspaper style - yankees win 10-3 on friday night. ...."
Not "oh you'll never believe what happened
Losers (Score:2)
DDoS is the tool of losers and whiney babies. Literally only the biggest, absolute retards in the world resort to using them.